author | Andrew Tridgell <tridge@samba.org> | 2004-11-02 22:01:11 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:05:21 -0500 |
commit | acb23b2c5fa02ebbee762a8bf4b9d1fec40d4fea (patch) | |
tree | fc172c72d1054eb73d37549a4bc8b0c7d32cca14 | |
parent | bd6bc9c5ee434793686981413c14646a06cf092f (diff) | |
r3493: fixed a bug in readx reply where the client specifies an invalid high
part of the maxcnt. This caused an allocation failure and server exit.
Note: we need to go back over all the places in the core smb_server
that can cause allocation failures based on user input and fix them to
instead produce a SMB error.
Thanks to Susan for finding this bug.
(This used to be commit 4aed1b7921a3bfef460f8602467ac0dca9561032)
-rw-r--r-- | source4/smb_server/reply.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/source4/smb_server/reply.c b/source4/smb_server/reply.c index eb75ab08c7..9c7d027f4a 100644 --- a/source4/smb_server/reply.c +++ b/source4/smb_server/reply.c @@ -892,8 +892,14 @@ void reply_read_and_X(struct smbsrv_request *req) io->readx.in.offset = IVAL(req->in.vwv, VWV(3)); io->readx.in.maxcnt = SVAL(req->in.vwv, VWV(5)); io->readx.in.mincnt = SVAL(req->in.vwv, VWV(6)); - io->readx.in.maxcnt |= IVAL(req->in.vwv, VWV(7)) << 16; io->readx.in.remaining = SVAL(req->in.vwv, VWV(9)); + + if (req->smb_conn->negotiate.client_caps & CAP_LARGE_READX) { + uint32_t high_part = IVAL(req->in.vwv, VWV(7)); + if (high_part == 1) { + io->readx.in.maxcnt |= high_part << 16; + } + } /* the 64 bit variant */ if (req->in.wct == 12) { |
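Review bot: the `high_part == 1` test in reply_read_and_X accepts a single magic value with no comment saying why, and every other non-zero high part is silently discarded, so the request continues with only the low 16 bits of maxcnt instead of being rejected. Please add a comment stating why 1 is the only valid high word, and either return an SMB error for other non-zero values or document that ignoring them is intentional; the same applies when the client sends a high part without having negotiated CAP_LARGE_READX. Note also that the accepted case still lets the client set maxcnt as high as 0x1FFFF, so the allocation sized from maxcnt later in this function needs a failure path that produces an SMB error rather than a server exit, in line with the follow-up the commit message calls for.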